Teaching Cybersecurity Students Different Approaches to Network Security
25 years ago, one of the most common targets on a network was the web server. This was the access point that, if successfully penetrated, could open a path to systems on the internal side of the network. These servers were easy targets because they were public-facing systems designed to be accessed by anyone wanting to obtain services or information. This public-facing nature is the same today, but cybersecurity professors often teach the importance of moving the web server off the internal segment of the network and placing it into a separate enclave to lessen or eliminate this type of attack.
The Role of DMZ in Network Security
The demilitarized zone (DMZ) network was created as a network segment where public-facing systems could be placed without the risk of anyone passing through those systems into portions of the network that should not be accessible by the public. The DMZ has worked well for this purpose, and it is still in use today on larger networks, but it can be more difficult to manage on smaller networks that do not have the resources or personnel to maintain a more secure infrastructure. Cybersecurity students should be taught how to protect a variety of networks using different methodologies when constraints keep them from installing every available bell and whistle or configuring multiple network segments.
Integrating Risk Transference Concepts in Cybersecurity Curricula
One method cybersecurity professors should focus on is the option of transferring the risk of attack off the network and making it someone else's responsibility. In the risk management arena, risk transference is a powerful tool to lessen the amount of risk an organization accepts. Organizations already do this in many arenas, and the concepts are already embedded in most cybersecurity higher education programs. We can use this risk transference approach with web servers by simply removing them from the organization's network and outsourcing them to a third-party organization.
A plethora of web hosting services now exist that organizations can use to provide a front end to their customers without putting their internal networks at risk. This works well for simple information sharing and as a front end for customer contact. Professors should include this concept within their classes and show that an outsourced web presence is a viable option except for cases where back-end databases need to hook into the web server. This configuration also has the added benefit of transferring the server management and update responsibilities. This outsourcing approach can be viable for other public-facing services as well.
Students need to be taught how to think outside of the box. The largest organizations have the budgets to set up a DMZ, build 24/7 monitoring capabilities, and hire personnel to manage a hardened security posture. However, smaller networks rarely have these types of capabilities. A smaller budget does not mean an organization has to live with poor security capabilities. Cybersecurity professors should teach that many methods can be used within the constraints of a smaller organization's resources to maintain a rigorous security posture, and outsourcing the web server is a perfect way to work within these constraints. There are certainly some downsides to this, and those need to be considered as well.
Control vs. Outsourcing in Organizational Strategy
Management is not always keen to move resources outside of their control. Many would rather have the devices within the organization's footprint and assign more responsibilities to those already managing other systems. A student who is well educated in these concepts can explain to company leadership the value of outsourcing and balance that value with the assurance that the security benefits far outweigh any associated costs. Of course, there are situations where outsourcing is not a great option.
Risks and Limitations of External Data Storage
Third-party organizations should never be used to store or provide sensitive information. Sensitive data should always stay within the control of the organization. Transferring this data to an external source may decrease the risk of attack, but it would also place data into the hands of people outside of the organization's control. So, in some industries, outsourcing may not be an option. Students should be taught how to analyze the purpose of external-facing devices to determine the most secure options in different situations. One should not reflexively recommend outsourcing, nor reflexively reject it. Each network needs to be evaluated based on the needs and capabilities of the organization. We also need to consider the capabilities of the providers to which services are outsourced.
Service reliability is one of the most important variables when outsourcing any service to another organization. Providers should be removed from the list of considerations if they cannot guarantee close to 100% uptime, on-time patching and updates, and robust security solutions. Outsourcing is more than handing the reins to someone else; it must be a methodical process that reviews all needs and capabilities before pulling the trigger on any configuration changes. Students should be instructed on how to evaluate the capabilities of third-party services when considering the option of outsourcing so that the final solution will be tailored to exactly what an organization needs.
There are many ways to secure a network. Some methods harden the exterior, place extensive monitoring devices at the perimeter, establish DMZ segments, and monitor activity on a 24/7 schedule. These are all great methods. Outsourcing is also a great method and is particularly valuable to those who cannot afford to bring every plausible security device to bear. It is important in the education arena to teach the future members of our cybersecurity workforce that creativity is sometimes necessary and that it is not a bad thing. The more well-rounded and well-versed students are, the more prepared they will be for the real world where events are rarely the same as textbook scenarios.